ben9035
Sonicwall DMZ Question
I have a SonicWall NSA 240 with a Primary and Secondary internet connection, set for failover and load balancing.
I have 3 machines that only have external IPs and I need to add them to the DMZ for the secondary internet connection.
I want to use X3-X5 as the ports for this, but can't seem to find out how to get it to work. I've looked through the Admin Guide, so please don't post that, I can't find the answer in it.
ASKER
They already have public IP addresses. I've set up the secondary gateway already, and already created WAN failover. I'm unable to get the external IPs working on interfaces X3-X5 because it keeps saying it's on the same subnet as X2 (secondary gateway). SonicWall told me this was possible before I bought the product, but, big shocker, the 24x7 support I pay for isn't being answered by a technician right now.
maybe they considered that you'd have those three ports in transparent mode.
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
when you configure a port in transparent mode, the IP addresses MUST be in the same subnet as the WAN interface.
i've never configured the sonicwall in this method before, but it seems plausible.
ASKER
I added a new address object, gave it a range of .xx1-.xx5 (open ips of subnet), tried to add the interface X3 in transparent mode to the DMZ zone, and I get the error:
Error: Transparent Range not in WAN subnet
ASKER
Do the external addresses *have* to be a member of the primary WAN subnet, or can they be on the secondary?
since you want to include three, i'd create an address object for each rather than a range.
i don't believe so.
ASKER
don't believe they can be on the secondary?
I'll create addy obj for each and try....
ASKER
Adding address objects for all 3 IPs and going that route didn't do anything. I'm still getting the error.
i've been doing some reading and i'm seeing where you cannot use transparent mode where you've configured WAN load balancing or failover. i'll keep looking.
i think that error is starting to make more sense. if you've configured a port in transparent mode and have configured wan failover/load balance, the sonicwall must look at the primary gateway IP addresses when configuring the transparent mode settings.
you could possibly tell by disabling wan failover as a test, then try configuring transparent mode on the ports.
ASKER
I've disabled the load balancing, but I don't see a selection for failover. Is that automatic with two WAN connections?
where are you configuring it? under network > WAN Failover & LB?
ASKER
Yes
ASKER
Ok. I switched primary and secondary gateways, and I got it to add. I set up a static route for any service from LAN subnets to use the secondary gateway (what WAS primary, much heftier connection), so that's good. However, I can't ping from the machine that I got to use transparent mode. Ideas?
so, the clients on the LAN are able to ping to the internet, say, 4.2.2.2?
when you set up the transparent interface, did you use a range or a single IP? do you have the subnet mask and gateway correct as well as DNS?
ASKER
Yes, I'm on the connection now.
I used a single IP. When I created the address object, I chose "DMZ" rather than "WAN", I didn't assign it a gateway or DNS as a result. Should I have done WAN?
in which IP subnet do you want the transparent (DMZ) hosts? the WAN or secondary WAN?
ASKER
WAN...now.
Wait...should there be a static route to take the traffic coming from X3 and pushing it out, say, X1 Gateway, X1 interface?
so, you configured an address object and gave it a public IP address within the subnet from WAN interface (but NOT the IP of the WAN interface), right?
then, you used that address object when you configured the transparent mode of the interface you used, right?
then, you configured the public IP assigned to the address object on the workstation, along with the subnet mask and gateway used for the WAN interface, right?
what DNS server have you used for the computer on the transparent port?
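As an added example (not from this thread, SonicWall, or the KB article), here is a small Python pre-flight check for the addresses that go into a transparent-mode address object. It applies what the thread found: with WAN failover/load balancing configured, the range is validated against the primary WAN interface's subnet (otherwise "Transparent Range not in WAN subnet"), and the WAN interface's own IP must not be handed to a host; excluding the ISP gateway and the network/broadcast addresses is an assumption of basic IP hygiene. All addresses are constructed TEST-NET values.

```python
import ipaddress

# Constructed sample values (TEST-NET-3): primary WAN interface 203.0.113.10/29,
# ISP gateway 203.0.113.9. The secondary WAN is assumed to live in 198.51.100.0/24.
PRIMARY_WAN_IF = "203.0.113.10/29"
ISP_GATEWAY = "203.0.113.9"


def expand_range(spec):
    """Turn 'a.b.c.d-a.b.c.e' (or a single address) into a list of address strings."""
    start, _, end = spec.partition("-")
    first = ipaddress.ip_address(start.strip())
    last = ipaddress.ip_address(end.strip()) if end else first
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]


def check_transparent_hosts(wan_if, gateway, hosts):
    """Map each candidate host to a problem string ('' means the address is usable).

    The checks mirror the failure seen in the thread: a host outside the primary
    WAN subnet is rejected, and the WAN interface IP itself cannot be reused.
    """
    wan = ipaddress.ip_interface(wan_if)
    net = wan.network
    gw = ipaddress.ip_address(gateway)
    results = {}
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr not in net:
            results[h] = "Transparent Range not in WAN subnet"
        elif addr == wan.ip:
            results[h] = "is the WAN interface address"
        elif addr == gw:
            results[h] = "is the ISP gateway"
        elif addr in (net.network_address, net.broadcast_address):
            results[h] = "network/broadcast address"
        else:
            results[h] = ""
    return results


def host_settings(wan_if, gateway, host):
    """Static IP settings to type into the machine behind the transparent port."""
    wan = ipaddress.ip_interface(wan_if)
    return {"ip": host, "netmask": str(wan.network.netmask), "gateway": gateway}


if __name__ == "__main__":
    candidates = expand_range("203.0.113.11-203.0.113.13") + ["198.51.100.5"]
    for host, problem in check_transparent_hosts(PRIMARY_WAN_IF, ISP_GATEWAY, candidates).items():
        print(host, "OK" if not problem else problem)
```

A host in the secondary WAN's subnet is reported the same way the firewall reports it, which is why the asker only got the interface to add after swapping primary and secondary.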
ASKER
Yes
Yes
Yes
the ones for the WAN
so, even after that, you can't ping anything on the internet? say, 4.2.2.2 (public DNS)?
ASKER
Nope. I'm confused now.
also, double check your firewall access rules. what zone did you assign the transparent mode to? make sure the access rules are allowing traffic. if DMZ, then DMZ > WAN and WAN > DMZ.
the steps say that you can also use either the ISP gateway (the one configured on your WAN interface) or the IP address assigned to the WAN interface.
try changing this on your computer and let's see what happens.
ASKER
firewall rules are good to go.
you're talking about for the gateway on the pc right?
ASKER
Nothing.
yes.
hmmm. wish i could get a look at the config.
ASKER
It's really weird. If I unplug the WAN interface, plug it into a switch, and plug the cable from the PC into the switch, everything works fine.
Kind of smells like a routing problem doesn't it?
ASKER
Also, in the interface table, next to X3, it has the WAN ip listed, NOT the ip that I put into the address object. Is that normal?
yes, it does seem a route is not correct. either that or a misconfiguration. double check the address object assigned to the x3 interface. did you configure it as a host?
ASKER
Name: DMZ1
Zone Assignment: DMZ
Type: HOST
IP: in the same subnet as WAN
ASKER
X3 IP Any Any X1 Default Gateway X1 1 9
make the address object part of the WAN zone.
ASKER
Tried, nada.
i'm stumped. it seems you followed the KB exactly. i'm not sure what's left without seeing it.
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
ASKER
Understandable. Thanks a lot for all your help anyway.
sure. obviously, i'll keep monitoring it. when sonicwall's 24x7 support responds and IF they fix it, let me know what they figure out.
also, if i think of something else, i'll post.
ASKER
I'll definitely do that.
ASKER CERTIFIED SOLUTION
thanks for posting the full solution and glad you got it working!
ASKER
Full description of problem and solution are within answer. Digitap tried to help me resolve, but we never came to a conclusion.
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7781
regarding wan failover:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7828
regarding the DMZ, are you wanting to give these three computers a public IP each?